What happens to email accounts once credentials are compromised?
Agari researchers planted unique credentials belonging to fake personas on phishing sites posing as widely used enterprise apps, and waited to see what the phishers would do next with the compromised accounts.
They found that 23% of all accounts were accessed almost immediately (likely in an automated way, to confirm the credentials worked), 50% of accounts were accessed manually within 12 hours of the compromise, and 91% of compromised accounts were manually accessed during the first week.
How are compromised accounts used?
The phishing pages where the researchers planted the unique credentials impersonated Microsoft OneDrive, Office 365, SharePoint, Adobe Document Cloud, or just (generically) Microsoft.
After six months, they detected activity in nearly 40% of their “compromised” accounts.
“Although the majority of compromised accounts (64%) were only viewed once, a number of accounts were accessed multiple times over an extended period of time. In fact, one account was viewed 94 times over a period of four and a half months, a prime example of the persistent and continuous access that cybercriminals maintain on compromised email accounts,” they noted.
Attackers use hacked corporate mailboxes to identify employees who have access to a company’s financial or payment systems. They often set up mailbox forwarding or inbox forwarding rules so that copies of incoming and outgoing emails reach them immediately, without having to log in again.
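The forwarding behaviour described above leaves a trace: every new or changed inbox rule and every mailbox forwarding setting shows up in the tenant's audit log. The following is an added detection example (not code from Agari or from the original article) that walks audit records and flags rules that forward or redirect mail to a domain outside the organisation. The records are constructed for this example and only loosely shaped after Microsoft 365 Unified Audit Log inbox-rule events; the field names (`Operation`, `UserId`, `Parameters`, `ForwardTo`, `ForwardingSmtpAddress`, `DeleteMessage`) and the `example.com` / `mail.invalid` domains are assumptions of the example, not values from the page.

```python
import json
import re
from typing import Dict, Iterable, List, Set

# Constructed sample audit records (assumption: the field layout mirrors the
# Microsoft 365 Unified Audit Log; these lines are invented for the example).
SAMPLE_AUDIT_LINES = [
    # Benign: a user forwards a folder to a colleague inside the organisation.
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "ForwardTo", "Value": "bob@example.com"}]}),
    # Suspicious: near-empty rule name, finance keywords, external forward,
    # and the original is deleted so the mailbox owner never sees it.
    json.dumps({"Operation": "New-InboxRule", "UserId": "carol@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                               {"Name": "ForwardTo", "Value": "collector@mail.invalid"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    # Suspicious: mailbox-level forwarding to an external address.
    json.dumps({"Operation": "Set-Mailbox", "UserId": "dave@example.com",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:dave.home@mail.invalid"}]}),
    # Unrelated event with no forwarding parameters at all.
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "erin@example.com",
                "Parameters": []}),
]

# Domains that count as "inside the organisation" (assumption for the example).
INTERNAL_DOMAINS: Set[str] = {"example.com"}

# Parameters that cause mail to leave the mailbox. Any of these pointing at an
# external domain is worth a look, whatever the rule is called.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Loose e-mail matcher; tolerates "smtp:" prefixes and "Name [SMTP:addr]" forms
# because it simply pulls every address-looking token out of the value.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _target_domains(value: str) -> List[str]:
    """Return the lower-cased domain part of every address found in value."""
    return [m.split("@", 1)[1].lower() for m in EMAIL_RE.findall(value)]


def find_suspicious_forwarding(lines: Iterable[str],
                               internal_domains: Set[str]) -> List[Dict]:
    """Flag audit records whose forwarding targets fall outside internal_domains.

    Each finding carries the user, the operation, the external domains seen and
    a list of human-readable reasons so an analyst can triage it quickly.
    """
    findings: List[Dict] = []
    for line in lines:
        rec = json.loads(line)
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        external = sorted({d for key in FORWARDING_PARAMS if key in params
                           for d in _target_domains(params[key])
                           if d not in internal_domains})
        if not external:
            continue  # no forwarding, or forwarding that stays internal
        reasons = [f"forwards mail to external domain(s): {', '.join(external)}"]
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("rule deletes the original message, hiding the forward from the mailbox owner")
        name = params.get("Name", "")
        if rec["Operation"] in ("New-InboxRule", "Set-InboxRule") and not name.strip(". _-"):
            reasons.append("rule name is blank or a single punctuation character")
        findings.append({"user": rec["UserId"], "operation": rec["Operation"],
                         "external_domains": external, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_forwarding(SAMPLE_AUDIT_LINES, INTERNAL_DOMAINS):
        print(f"{finding['user']} ({finding['operation']}):")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On the constructed sample this reports Carol's rule (three reasons) and Dave's mailbox forwarding (one reason) and stays silent on Alice's internal forward. In a real deployment the same check would run over exported audit records on a schedule, with the internal-domain set taken from the tenant's accepted domains rather than hard-coded.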
Some of the attackers move from email to other Office 365 applications, the researchers noted, and use them to search for valuable documents or even to download files (fake invoices and the like) that will be used for phishing attacks or subsequent fraud attempts.
But, most of the time, the attackers used the hacked email accounts to send more phishing emails, sometimes targeting specific industries and sometimes a wide variety of them, and to build out additional Business Email Compromise (BEC) infrastructure (for example, by signing up for a variety of services that let them perform reconnaissance and lead generation, send emails, host malicious pages or create malicious documents).
“By tricking people into giving up their credentials, threat actors can use legitimate accounts to run their malware – a dream come true from their perspective,” the researchers noted.
And compromised accounts lead to more phishing emails and more compromised accounts and more phishing – and so on, in an endless cycle that should be stopped.